Elisabetta Zaccaria, Strategic Advisor to Secure Chorus, discusses how we may be facing a tragedy of the internet commons problem. Is the way forward to revert to government-mandated regulation instead of market self-regulation to address global cybersecurity risks?
Top of the agenda in this year’s World Economic Forum Global Risk Report 2020 are climate change, cybersecurity risks and geopolitical instability. The report contains the stark warning that, ‘when the challenges before us demand immediate collective action, fractures within the global community appear to only be widening’.
The theory of the tragedy of the commons dates back to the 19th century British economist William Forster Lloyd, who analysed the hypothetical example of the effects of unregulated grazing on common land (‘commons’) in Great Britain and Ireland. It is an economic problem in which there is a shared resource where individual users, acting independently according to their own self-interest, behave contrary to the common good of all users.
Limitations of industry self-regulation
Free markets and industry self-regulation are the most efficient and best mechanisms for managing most economic activities. But when they operate in arenas in which they touch upon commons – such as the global digital environment – it becomes challenging.
In response to the fractures in the global community reported by the WEF, let’s first have a look at polycentric regulatory regimes, which appear to be a major contributor to the problem. These regimes allow regulation to come from more than just one central authority. They recognise that, in addition to nation states, private industry and civil society contribute to the shaping of collective decisions.
There are three questions we should consider when assessing how these regulatory regimes may be hindering collective action.
First, polycentric governance presupposes that anyone with a ‘stake’ in the issue has a right to be involved. This raises questions about who should be given the authority to decide if someone can be considered to have a legitimate ‘stake’, while others do not.
Second, is it correct to consider governments and industry as equals, when the mandate of government is to work for the common good of its citizens, while private industry’s mandate is primarily profit maximisation?
Third, with the polycentric model, accountability tends to be in the hands of self-appointed actors. The question is this: given the scale of the challenge, is it appropriate for non-state actors to unilaterally decide who they are accountable to?
Given the fundamental nature of polycentric governance, how effective is industry self-regulation (which is based on this model) at addressing all the required interests in relation to internet commons?
In fact, given the findings of the Global Risk Report 2020, we should question whether market self-regulation is the way forward for the internet commons, in the light of its failure to achieve the required results.
GDPR, an example of government regulation
In 2018 the European Union issued the General Data Protection Regulation (GDPR), a regulatory framework in the field of personal data privacy and security which now applies to any business that processes personal data of an EU citizen, whether the business is based in the EU or not. If a business is in breach of the GDPR the fines are substantial. In this case, the decision was to go for mandatory regulation issued by government entities rather than allowing the market to self-regulate.
As a result of the GDPR, private industry is currently undergoing a major shake-up. All the while, billions are being spent on armies of lawyers and consultants, recruitment of new staff and expensive technology solutions.
Also, many tech companies that were created on the free or ‘freemium’ model (relying on collected data to lure in advertisers), are now discovering that the concept on which their business was built is being turned upside down.
On the other hand, some sectors are able to turn the new regulation to their advantage. One example is the legal and compliance industry, where new jobs are being created and new technologies are being developed.
In this case, the conflict of interest is self-evident. While some businesses are left counting the cost of implementing the GDPR, for others it has meant an increase to the bottom line. What is also clear is that if governments hadn’t stepped in to mandate this regulation, industry self-regulation would have been hard, if not impossible.
There are of course many benefits to be gained from market self-regulation. However, we should consider government-led mandatory regulation to be the way forward on matters from which we are collectively at risk and so avoid our rapidly maturing digital landscape becoming a very modern example of the tragedy of the commons.